
I've installed Splunk (4.1.5 (85165) on Windows) and have uploaded some logs without any issues.

I now want to monitor a linux server, but I'm having problems adding the datasource and always get the message:

Encountered the following error while trying to save: In handler 'monitor': Path must be absolute.

I'm using Splunk Web and have set the host field value to the two servers' IP addresses and the full path on the server to /var/log (and tried various other combinations).

On the Linux server I've added *.*@192.168.254.100 to syslog.conf.

I've read the manual, but it doesn't really help, and I'm finding a lack of tutorials. Pretty much thinking of abandoning the idea of Splunk now. I'm obviously missing some sort of basic information here. Can anyone help out? Being pointed in the direction of some decent tutorials would be good...

I'm having trouble understanding how all this data gets sent to Splunk and how Splunk intercepts/retrieves it.

Mr Shoubs

1 Answer


Splunk's "monitor" can only read files that are on the machine it's running on (or on drives mounted over the network that can be read from the machine it's running on). The "host" field may make it look like it can read from another machine, but it's there to identify what computer the file came from, not to connect to a remote host. This page has various ideas for setting up Splunk on a network. It looks like running Splunk on every machine and having them forward the logs to the central indexer is the "best practice", since it gives you access to log files not controlled by syslog (e.g. Apache logs) and the local Splunk systems will hold the data if the main Splunk server goes down. Otherwise, if you're going to use syslog, this page provides some instructions on how to set up syslog-ng in Windows to receive the syslog messages, then set up Splunk to read from syslog-ng.

DerfK
  • It should be noted that Splunk also provides the option of receiving syslog messages directly. – Skyhawk Oct 14 '10 at 13:25
  • Thanks. How does it receive syslog messages directly? I've added the forwarder in the syslog.conf file and restarted the service... It is also listening on UDP:514 and is currently receiving syslog from VMware, but not from the Linux boxes. – Mr Shoubs Oct 14 '10 at 13:48
  • It looks as if you've configured your linux hosts to forward all syslog messages to 192.168.254.100, I guess this is your Splunk host? If so, try restarting syslog (or forcing it to re-read the config file). – Vatine Oct 14 '10 at 14:07
  • Yes, 100 is the Splunk host... I've restarted syslog, but not receiving anything... firewall ports are all open.... does *.*@192.168.254.100 automatically send data to UDP:514? – Mr Shoubs Oct 14 '10 at 14:10
  • Do you have at least one space or tab after *.* and before @? syslog.conf expects all of the settings to be two columns, the first column is what to log (eg "*.*") and the second column is where to log it to (eg "@192.168.254.100") – DerfK Oct 14 '10 at 18:27
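As an added example (not code from the question, the answer, or Splunk itself), here is a small Python linter for the two configuration pieces the thread turns on: the Splunk inputs.conf `[monitor://...]` stanza that produces "Path must be absolute" when the path is not absolute, and the two-column syslog.conf format that DerfK describes, where `*.*@host` without whitespace is not a selector plus an action. It assumes classic sysklogd/rsyslog-legacy syslog.conf syntax (`@host` forwards over UDP 514, rsyslog's `@@host` over TCP 514, optional `:port`), and the config text, host names and addresses it parses are constructed for this example.

```python
"""Lint the two config fragments from the thread: a Splunk inputs.conf
[monitor://...] stanza (the source of "Path must be absolute") and classic
syslog.conf forwarding lines (the missing-whitespace problem in the comments).

Added example; this is not Splunk's or syslogd's own validator, and the
sample config text below is constructed for this example."""
import posixpath
import re

# Constructed inputs.conf, as Splunk Web writes it for a "monitor" input.
# The second stanza omits the leading "/" and so is relative.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log]
host = 192.168.254.10
sourcetype = syslog

[monitor://var/log/messages]
host = 192.168.254.11
"""

# Constructed syslog.conf lines: the first entry is the broken form from the
# question, the rest are valid two-column entries.
SAMPLE_SYSLOG_CONF = """\
# forward everything to the Splunk host
*.*@192.168.254.100
*.* @192.168.254.100
*.*\t@@192.168.254.100:1514
mail.*\t-/var/log/mail.log
"""

MONITOR_RE = re.compile(r"^\[monitor://(.*?)\]\s*$", re.MULTILINE)


def lint_monitor_stanzas(text):
    """Return [(path, problem)] for every [monitor://...] stanza; problem is
    None when the path is absolute.  A monitor path names a file or directory
    on the Splunk host itself (or a mount it can read); the stanza's host=
    setting only labels events and does not make Splunk read remotely."""
    results = []
    for match in MONITOR_RE.finditer(text):
        path = match.group(1)
        problem = None if posixpath.isabs(path) else "Path must be absolute"
        results.append((path, problem))
    return results


def parse_syslog_conf(text):
    """Parse classic (sysklogd / rsyslog legacy) syslog.conf lines.

    Each entry must be two whitespace-separated columns: a selector such as
    "*.*" and an action.  An action of "@host" forwards over UDP and rsyslog's
    "@@host" forwards over TCP; both default to port 514, and rsyslog also
    accepts an optional ":port" (IPv4 or hostname assumed here; bracketed
    IPv6 is not handled).  Returns a list of dicts with line, selector,
    action, forward and problem keys."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        columns = line.split(None, 1)
        if len(columns) != 2:
            # "*.*@host" is read as one selector token with no action column.
            entries.append({"line": lineno, "selector": line, "action": None,
                            "forward": None,
                            "problem": "no whitespace between selector and action"})
            continue
        selector, action = columns
        forward = None
        if action.startswith("@"):
            proto = "tcp" if action.startswith("@@") else "udp"
            host, sep, port = action.lstrip("@").partition(":")
            forward = (proto, host, int(port) if sep else 514)
        entries.append({"line": lineno, "selector": selector, "action": action,
                        "forward": forward, "problem": None})
    return entries


if __name__ == "__main__":
    for path, problem in lint_monitor_stanzas(SAMPLE_INPUTS_CONF):
        print(f"monitor {path!r}: {problem or 'ok'}")
    for entry in parse_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"syslog.conf line {entry['line']}: "
              f"{entry['problem'] or entry['forward'] or entry['action']}")
```

Running it shows the relative monitor path flagged with the same message the question quotes, the no-whitespace syslog.conf line flagged as having no action column, and the well-formed lines resolved to their UDP or TCP forwarding target so you can compare them against what the Splunk host is actually listening on.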